From: "Allen Smith" <easmith@beatrice.rutgers.edu>
Date: Thu, 2 Jul 1998 05:54:16 -0400
To: dg@root.com
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 2, 1:55am)

On Jul 2, 1:55am, David Greenman (possibly) wrote:
> Well, someone will have to convince me that delegating access on a port
> by port basis is necessary in the first place. I'd personally be happy with
> a simple privilege that allows binding to ports <1024.

Daemon spoofing. Let's say I've set up a web server that binds to port I want to reduce the risks from this, so I (under your scheme) give the server a privilege that enables it to bind (I'm assuming binding for reception of incoming stuff only, given rsh et al) to any TCP port below 1024.
Cracker notices that I've made a goof in writing a cgi script (or the author of the webserver has goofed), and proceeds to crack it such that he can run any arbitrary program under that uid, with that privilege (this will be the case if it's run as a uid instead of setuid). Now, run a program via cron on a very frequent basis that tries binding to the smtp, ssh, or other significant port not run through inetd. This enables mail interception for smtp, password interception for ssh, etcetera. With the exception of a syslog'd error message from the smtp program, this won't be spotted in that case if the cracker then uses sendmail's -bs flag, or the equivalent for other mail programs. Ssh is admittedly going to get spotted pretty soon, but one interception of the root password (or an interception of a password a person uses across systems) is going to be enough to create problems.

There are probably other vulnerabilities that I haven't thought of; going off of the least privilege principle seems the best.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu
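The failure mode Allen describes (a compromised process with a blanket bind-to-<1024 privilege grabbing another daemon's port) is detectable by periodically checking that each privileged port is held by the program and uid the host expects. The audit below is an added example, not code from this thread or from FreeBSD; the listener table format, the EXPECTED policy and the sample snapshot are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Expected owner (process name, uid) of each privileged port on this host.
# Constructed policy for the example; a real one comes from the host's config.
EXPECTED = {
    22: ("sshd", 0),
    25: ("sendmail", 0),
    80: ("httpd", 80),
}

@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    uid: int

# One listener per line: "<process> <pid> <uid> <addr>:<port> LISTEN".
# This is the example's own simple format, not the output of any real tool.
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<uid>\d+)\s+\S*:(?P<port>\d+)\s+LISTEN\s*$"
)

def parse_listeners(text):
    """Parse the listener table, ignoring blank or non-matching lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(int(m["port"]), m["proc"], int(m["uid"])))
    return listeners

def audit(listeners, expected=EXPECTED):
    """Return (port, reason) findings for privileged ports whose holder
    is missing, is the wrong program, or runs under the wrong uid."""
    by_port = {held.port: held for held in listeners}
    findings = []
    for port, (proc, uid) in sorted(expected.items()):
        held = by_port.get(port)
        if held is None:
            findings.append((port, f"expected {proc} is not listening"))
        elif (held.process, held.uid) != (proc, uid):
            findings.append((port, f"held by {held.process} (uid {held.uid}), "
                                   f"expected {proc} (uid {uid})"))
    for port, held in sorted(by_port.items()):
        if port < 1024 and port not in expected:
            findings.append((port, f"unexpected listener {held.process} (uid {held.uid})"))
    return findings

# Constructed snapshot: a process under the web server's uid now holds the SMTP port.
SAMPLE = """\
sshd       101   0   0.0.0.0:22   LISTEN
httpd      202   80  0.0.0.0:80   LISTEN
cgi-shell  303   80  0.0.0.0:25   LISTEN
"""

if __name__ == "__main__":
    for port, reason in audit(parse_listeners(SAMPLE)):
        print(f"port {port}: {reason}")
```

Run from cron, a non-empty finding list is the alert the thread says a hijacked SMTP or SSH port would otherwise not produce; the check works whether the privilege is the blanket one Greenman proposes or a per-port grant, since it inspects the outcome rather than the policy.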